This can happen either on the MGMT machine itself, or via outside script.

In this example, I did it on the MGMT machine itself because every MGMT machine also has a tool called “JQ” which is preinstalled and allows to filter the results of the command. “show-changes” will show all changes that happened in the given session UID, and I’m sending the results to JQ which then filters them only to deleted access rules.

Step 1: get the session ID from the audit log card.

Step 2: On the security management machine, login and save the login details to a text file. We will use this text file to identify for the next command.